At some point in the last year, month, day, or hour, you probably typed a password into a glowing rectangle while half paying attention, on a train, in a meeting, in bed, because the modern world runs on a small, forgettable act of faith: yes, it’s really me. The old image of a brute-force cyberattack is a burglar at a window, a crowbar, and a broken latch. The truth? From AI-driven risk to the inadvertent click by a flesh-and-blood user, cyber risk today looks like a familiar key turning in a familiar lock. No shattered glass. No alarm. Just a clean, legitimate login that shouldn’t be there.
That shift away from “breaking in” and toward simply signing in is the central claim of Darktrace’s Annual Threat Report 2026, released Thursday. The company says publicly disclosed software vulnerabilities rose 20% in 2025. Yet attackers increasingly treated those weaknesses as background noise, opting instead for the low-friction power of stolen credentials and misused accounts. In the Americas, Darktrace found, nearly 70% of incidents began with compromised identity. That statistic reads less like a technical finding than a cultural diagnosis of the cloud era, where access is everything and identity sits at the true perimeter.
Darktrace CISO Mike Beck set the tone in his blog. “Are we still in control as complexity and automation scale faster than humans?” Beck wrote.
Identity Cyber Risk Takes Center Stage
Darktrace identified identity as the main target in 2025. In its press release, the company called identity cyber risk “the new perimeter.” This makes sense for today’s SaaS environments, where a single trusted session can grant access to email, storage, payroll, and vendor systems.
Such access looks normal at first glance. The report warned that phishing attackers “leverage trusted platforms and domains” to increase their success rate; the result is that attackers blend in with everyday activity, leaving security teams to hunt for small signs of trouble.
Phishing Grows In Volume And Craft
In 2025, Darktrace / EMAIL found over 32 million high-confidence phishing emails across its network. VIPs received more than 8.2 million of these, making up over a quarter of all detected phishing. This focus is clear: criminals want easy access to privileged accounts.
QR code phishing also increased. Darktrace found over 1.2 million QR code phishing emails in 2025. The report described split QR codes and QR code nesting as ways to avoid detection. These tactics help attackers bypass link scanning and encourage users to trust quick scans.
Frequent changes in domains made phishing harder to stop. Darktrace saw about 1.6 million phishing emails linked to new domains. Authentication checks alone were not enough: 70% of phishing emails passed DMARC. That is to be expected, because DMARC only confirms that the message’s From domain authorised the sending server; mail sent from a domain the attacker registered, or from a compromised legitimate account, passes cleanly.
Cyber Risk Vulnerabilities Rise, Exploitation Speeds Up
The number of CVEs increased, even though many attacks focused on identity. Darktrace reported 48,185 published CVEs in 2025, up 20.6% from 2024. The bigger shift is speed: automated scanning now gives defenders less time to respond.
The React2Shell incident showed this new speed. Darktrace said attackers exploited the flaw “within hours” of setting up a React honeypot. The report linked most cloud incidents to simple issues like misconfigurations and unpatched vulnerabilities.
Darktrace also pointed out that detecting threats before public disclosure is a key advantage. Anomaly signals can spot unusual logins and unexpected transfers before a CVE becomes known.
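To make the “behaviour signals, not only authentication checks” point concrete, here is an added example that is not part of the report and is not Darktrace’s code: a small Python detector run over constructed sign-in events. The users, ASNs, device IDs, coordinates and the 900 km/h travel threshold are all assumptions for illustration. It learns each user’s previously seen country, network and device, then flags first-seen values and impossible travel between consecutive sessions, including a session that passed MFA.

```python
# Added example, not code from Darktrace or the report. Sample events are constructed;
# users, ASNs, device IDs and the 900 km/h travel threshold are assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_TRAVEL_KMH = 900.0  # assumed ceiling: roughly an airliner; faster means two places at once


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    country: str    # ISO country code from the IdP's geo lookup
    asn: str        # autonomous system of the client IP
    device_id: str  # IdP device or browser fingerprint
    lat: float
    lon: float
    mfa_passed: bool


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def detect(events):
    """Return findings for sign-ins whose attributes or geography break the user's baseline.

    The baseline is learned online: the first sighting of a country/ASN/device for a user
    is recorded silently, every later sighting of a new value is flagged. Consecutive
    sessions are also checked for impossible travel. A passed MFA challenge does not
    suppress a finding, which is the point: the session is valid, the behaviour is not.
    """
    seen = {}      # user -> {"country": set, "asn": set, "device": set}
    last = {}      # user -> most recent SignIn
    findings = []
    for e in sorted(events, key=lambda x: (x.user, x.ts)):
        base = seen.setdefault(e.user, {"country": set(), "asn": set(), "device": set()})
        reasons = []
        for field, value in (("country", e.country), ("asn", e.asn), ("device", e.device_id)):
            if base[field] and value not in base[field]:
                reasons.append(f"new {field} {value}")
            base[field].add(value)
        prev = last.get(e.user)
        if prev is not None:
            hours = (e.ts - prev.ts).total_seconds() / 3600.0
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            # zero elapsed time with a non-zero distance is impossible travel too
            if km > 0 and (hours == 0 or km / hours > MAX_TRAVEL_KMH):
                reasons.append(f"impossible travel {km:.0f} km in {hours:.1f} h")
        last[e.user] = e
        if reasons:
            findings.append({"user": e.user, "ts": e.ts.isoformat(),
                             "mfa_passed": e.mfa_passed, "reasons": reasons})
    return findings


def _t(h, m):
    return datetime(2025, 6, 2, h, m, tzinfo=timezone.utc)


# Constructed sample log: alice works from London; the third session comes from a new
# country, network and device 40 minutes later and still passed MFA (stolen session or token).
SAMPLE_EVENTS = [
    SignIn("alice", _t(9, 0), "GB", "AS2856", "dev-a1", 51.5074, -0.1278, True),
    SignIn("alice", _t(12, 0), "GB", "AS2856", "dev-a1", 51.5074, -0.1278, True),
    SignIn("alice", _t(12, 40), "NG", "AS37148", "dev-x9", 6.5244, 3.3792, True),
    SignIn("bob", _t(8, 30), "DE", "AS3320", "dev-b2", 52.5200, 13.4050, True),
    SignIn("bob", _t(17, 5), "DE", "AS3320", "dev-b2", 52.5200, 13.4050, True),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["user"], f["ts"], f"mfa_passed={f['mfa_passed']}", "; ".join(f["reasons"]))
```

Only alice’s third session is reported, with four reasons (new country, new ASN, new device, impossible travel) even though MFA passed; bob’s routine sessions produce nothing. The online baseline means a user’s very first sign-in is never flagged, so in production the baseline should be seeded from historical logs rather than learned cold.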
Cloud And Containers Draw Heavy Fire
The report described the cloud as a busy battleground. Darktrace’s Cloudypots tracked attacks on services like Docker, Jupyter, and React. When looking at unique hostile IPs, Docker was the top target, making up 54.3% of malicious sources. This matches patterns seen in cryptomining and widespread abuse.
The report also noted fast-moving attack campaigns. These included hybrid attacks across both on-premises and SaaS systems, as well as cloud attacks in Azure Kubernetes and Amazon S3. Such combinations make it harder to contain incidents and assess claims.
Ransomware Keeps Double Extortion In Play
Ransomware remained a serious problem in 2025, according to Darktrace. The most common strains were Akira, Qilin, RansomHub, Lynx, and INC. The report found that many Akira cases started with attacks on SonicWall devices. Qilin was described as a ransomware-as-a-service group that grew in 2025.
Credentials were key in these attacks. Darktrace reported that administrative or service credentials were compromised in nearly half of Akira or Qilin cases. This is important for insurers, as it highlights the need for strong privileged access management and quick credential resets.
Critical Infrastructure Becomes A Strategic Arena
The report described Critical National Infrastructure as a “strategic battleground.” It linked risks to geopolitical tensions and digital changes. Darktrace detailed attacks that disrupted national services, including energy targets related to the Russia-Ukraine conflict, and warned about attackers preparing for future disruptions.
China-linked activity was a major focus. Darktrace reported that Salt Typhoon infiltrated U.S. telecommunications to gather intelligence. Volt Typhoon placed implants in U.S. critical infrastructure as preparation for possible disruptive attacks. The report also mentioned proxy and hybrid attack models, and noted DPRK-linked activity related to cryptomining and React2Shell exploitation.
Attackers also abused trust through social engineering aimed at critical infrastructure staff. Darktrace identified ClickFix tactics, where users are tricked into running malicious commands after seeing fake CAPTCHA prompts.
CISO Blog Targets The Boardroom
Beck’s blog is aimed at executives who make decisions about security and cyber risk. He described identity and automation as the new areas of concern, and argued that CISO performance should be measured by how well the organization recovers and keeps operating. His comments about control are especially relevant for cyber insurers because they link technical breaches to downtime and wider losses.
What This Means For Insurers And CISOs
The report highlights a few key controls. Strong defenses against phishing help prevent initial breaches. Ongoing cloud management reduces the risk of misconfiguration. Careful management of privileges limits the damage if accounts are compromised.
Insurers may also require proof of identity monitoring. They might ask about session risk signals, not just whether MFA is in place. Claims teams could see faster escalation if stolen credentials allow attackers to move within systems.
A Plain Analogy For Everyone
Imagine a busy hotel with sturdy doors and secure locks. If a thief gets hold of a real keycard, the staff don’t notice anything is wrong because the keycard works as expected. The only way to catch the thief is to watch what the card is used for, not just whether it opens the door.
FAQ Summary: Darktrace Annual Threat Report 2026
It is Darktrace’s yearly threat assessment based on 2025 telemetry and casework. It summarizes global attacker tactics and the drivers of cyber risk in 2026.
The report puts identity abuse at the center of modern intrusions. Darktrace calls it, “Identity is the new perimeter.” Attackers steal accounts and use valid permissions to move quietly. They blend into normal workflows and delay detection. That pattern turns trust into an attack surface.
Darktrace counted 48,185 published CVEs in 2025. That figure rose 20.6% year over year. The report links the surge to faster exploitation cycles.
Darktrace detected over 32 million high-confidence phishing emails in 2025. VIPs received more than 8.2 million phishing emails. Attackers chased privileged access and faster fraud.
Darktrace logged over 1.2 million QR-code phishing emails in 2025. The company reported a 28% increase versus 2024. The report describes “splishing” and QR nesting as evasion tricks.
Darktrace says 70% of phishing emails passed DMARC authentication. Attackers used legitimate services and domains to look trustworthy. Teams need behavior signals, not only authentication checks.
Azure drew 43.5% of observed malware samples in Darktrace cloud honeypots. GCP drew 33.2%, and AWS drew 23.2%. Docker led by unique hostile IPs at 54.3%.
The report says double extortion remained common in 2025. Top observed strains included Akira, Qilin, RansomHub, Lynx, and INC. Darktrace linked 78% of Akira cases to edge devices, often SonicWall. It found admin or service credentials compromised in almost half of Akira or Qilin cases.
Darktrace describes CNI as a strategic target for state-linked activity. It cites disruption risk tied to energy and telecom targeting. It highlights Salt Typhoon and Volt Typhoon as pre-positioning concerns.
Beck frames security as a control problem at machine speed. He wrote, “Are we still in control as complexity and automation scale faster than humans?” He stresses fast detection, autonomous response, and blast-radius reduction.
Treat identity monitoring as core resilience, not a side project. Measure session behavior and privilege drift across SaaS. Harden edge access paths and rotate exposed credentials fast. Plan for rapid containment to reduce outage time and claim severity.
Key Numbers At A Glance
- 48,185 CVEs published in 2025.
- 32 million phishing emails detected in 2025.
- 8.2 million phishing emails targeted VIPs.
- 1.2 million QR-code phishing emails in 2025.
- 70% of phishing emails passed DMARC.
- Azure: 43.5% of observed malware samples in cloud honeypots.
- Docker: 54.3% by unique malicious IP targeting.